diff --git a/index.js b/index.js
index e4f53df..4f42c8e 100644
--- a/index.js
+++ b/index.js
@@ -4,10 +4,16 @@ const http = require('http').Server(app)
 const io = require('socket.io')(http)
 const port = process.env.PORT || 3000
 const rnd = require('randomcolor')
+const { RateLimiterMemory } = require('rate-limiter-flexible')
 
 // TODO: add a public page that redirects to the GitHub repository
 // app.use(express.static(__dirname + '/public'))
 
+const rateLimiter = new RateLimiterMemory({
+  points: 2, // 5 points
+  duration: 1, // per second
+})
+
 const chat = io.on('connection', socket => {
   socket.on('chat', data => {
     // console.log(`Message received: ${data}`)
@@ -40,14 +46,26 @@ const onUpdateGuest = socket => (guest, ack) => {
   // For now, there is no difference with onNewGuest
   onNewGuest(socket)(guest, ack)
 }
-const onUpdateUrlQuerySpec = socket => (newUrlQuerySpec, ack) => {
+const onUpdateUrlQuerySpec = socket => async (newUrlQuerySpec, ack) => {
   console.log('new urlQuerySpec')
-  const guest = guests.get(socket.id)
-  if (guest !== undefined) {
-    touch(guest)
-    urlQuerySpec = newUrlQuerySpec
-    socket.broadcast.emit('urlqueryspec', urlQuerySpec)
-    ack(urlQuerySpec)
+  try {
+    await rateLimiter.consume(socket.id) // consume 1 point per event from IP
+    const guest = guests.get(socket.id)
+    if (guest !== undefined) {
+      touch(guest)
+      if (urlQuerySpec !== newUrlQuerySpec) {
+        // ?
+        urlQuerySpec = newUrlQuerySpec
+        socket.broadcast.emit('urlqueryspec', urlQuerySpec)
+      }
+      ack(urlQuerySpec)
+    }
+    console.log('OK')
+  } catch (rejRes) {
+    // no available points to consume
+    // emit error or warning message
+    socket.emit('blocked', { 'retry-ms': rejRes.msBeforeNext })
+    console.log('Blocked')
   }
 }
 const onByeBye = socket => _ => {
diff --git a/package-lock.json b/package-lock.json
index 3843b35..4b39fa7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4282,6 +4282,11 @@
       "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
       "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="
     },
+    "rate-limiter-flexible": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/rate-limiter-flexible/-/rate-limiter-flexible-1.3.0.tgz",
+      "integrity": "sha512-GC4kM+KZ50FFm5nt4peDObhct7GHgLEZGfmsKnBg5rkGv6ImXjxdZU89cOnT171kDVwF0msZrYf5SAFqLfHA1g=="
+    },
     "raw-body": {
       "version": "2.4.0",
       "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.4.0.tgz",
diff --git a/package.json b/package.json
index 2814921..e010dd6 100644
--- a/package.json
+++ b/package.json
@@ -16,6 +16,7 @@
   "dependencies": {
     "express": "^4.17.1",
     "randomcolor": "^0.5.4",
+    "rate-limiter-flexible": "^1.3.0",
     "socket.io": "^2.3.0"
   },
   "engines": {